exceptional encryption for everyone

Thursday, September 24, 2015

Don't Believe the Hype

In today’s world of incessant tweets and plagiarized status updates, the over-sensationalized media engine is living in its prime. Our scrolling consumption of spoon-fed news drives attention to bold headliners and embedded buzzwords. Cluttered articles drowning in adverts often reveal little more than an ocean of regurgitated commentary masquerading as fact.

This perpetuated misinformation propaganda inevitably leads to false perceptions and misguided discussions that border more on conspiracy theory than sound technical understanding.

Let’s do a quick coherency check on some recent publications relating to the security of surespot’s private messaging service…

Media Headlines:

“The drone strikes that killed British jihadists in Syria were aided by intelligence received after GCHQ and its US allies cracked encrypted Islamic State communications. The security services successfully hacked an encrypted messenger trusted by the fighters…”

“Reyaad Khan and Junaid Hussain's communications had been infiltrated. Intelligence agency GCHQ and allies in the US had hacked an encrypted messaging service used by Reyaad Khan and Junaid Hussain to track their movements. Hussain was targeted shortly after clicking what was thought to be a “poison link” sent to him on Surespot, a messenger service extremists believe has been compromised by agents.”

Hacked surespot? That’s a bold statement.

ISIS targets Reyaad Khan and Junaid Hussain published their usernames on Twitter, inviting the world to become their friends.

The two men accepted a friend invite from a stranger and exchanged messages with that stranger.

That stranger turned out to be an undercover agent.

Hussain clicked on a poison link sent to him by said undercover agent.

Once opened, the link sent him to an unknown web page.

The fraudulent web page downloaded a virus to his phone from his web browser.

Hussain placed a phone call from his home after his phone was infected with the virus from the false website.

The virus was allegedly able to track information from his phone that authorities could then use to follow him.

Although the phone was infiltrated through a malicious web site, nowhere in this scenario were surespot encrypted messages hacked.

This event has no connection to the encryption or privacy protections of surespot. The same scenario could have taken place through email, text or any other messenger on his phone. If GCHQ had actually hacked surespot, it would mean they had compromised the 521-bit ECDH key agreement protocol, which would affect far more than just surespot users. Any electronic service using the same protocol would also be compromised, including certain SSL ciphers used to secure banking transactions and millions of websites.

Surespot did what it is supposed to do: send a private encrypted message.

Clicking on a link will open it in a different application such as your default web-browser, which is not your messaging app. Additionally, encrypted messaging apps are not antivirus security tools.
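To make the distinction concrete, here is an added example (not surespot's code) of a 521-bit ECDH key agreement protecting a message that happens to contain a link. The HKDF-SHA256 and AES-256-GCM steps, the function names and the sample message are assumptions made for the illustration; the page only states that ECDH 521 is used.

```javascript
// Added illustration, not surespot's code. Assumptions: HKDF-SHA256 and AES-256-GCM
// stand in for the message cipher, which the page does not specify; names are hypothetical.
const crypto = require('crypto');

// Each party generates a P-521 (secp521r1) key pair; only public keys are exchanged.
function newParty() {
  const ecdh = crypto.createECDH('secp521r1');
  ecdh.generateKeys();
  return ecdh;
}

// ECDH shared secret -> 256-bit message key via HKDF.
function messageKey(mine, theirPublicKey) {
  const secret = mine.computeSecret(theirPublicKey);
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'demo-msg-key', 32));
}

function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

// Returns the plaintext, or null if the key is wrong or the message was altered.
function decrypt(key, msg) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
    d.setAuthTag(msg.tag);
    return Buffer.concat([d.update(msg.body), d.final()]).toString('utf8');
  } catch (e) {
    return null;
  }
}

function demo() {
  const sender = newParty(), recipient = newParty(), observer = newParty();
  const text = 'look at this: https://example.invalid/page'; // constructed sample message
  const wire = encrypt(messageKey(sender, recipient.getPublicKey()), text);
  // The recipient derives the same key and recovers the message, link included.
  const recipientReads = decrypt(messageKey(recipient, sender.getPublicKey()), wire);
  // An observer holding the ciphertext and both public keys cannot derive that key.
  const observerReads = decrypt(messageKey(observer, sender.getPublicKey()), wire);
  // The cipher delivers bytes faithfully; it has no say in where a URL leads once opened.
  return { recipientReads, observerReads, linkIntact: recipientReads.includes('https://') };
}
```

The observer gets nothing, while the intended recipient gets exactly what the sender typed. What happens after the recipient opens that link in a browser is outside anything the key agreement or cipher can control.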

This is a great reminder for all of us on the importance of using good security practices to protect our own communications proactively, no differently than we would with our home computers. If one visits unknown pages or converses with strangers who send suspicious links, it’s not a matter of if, but only when one will be attacked. This is no different than receiving emails, phone calls or social media friend requests from unknown sources. If you cannot trust your own contacts or you don’t know who they are, a private messenger app cannot help protect you from them.

If any confusion exists as to the role surespot played in these events, consider a simple analogy:

If someone were to mail a box containing illegal goods to an unsuspecting recipient and that recipient was arrested by law enforcement, would that be the fault of the mail carrier? Was USPS hacked? Or, did they safely deliver the package? Mail carriers are not responsible for advising individuals on who they should trust or accept mail from.

A quick review of basic guidelines for all messaging app users:

For anyone thinking of using the app for illegal purposes…

Don’t. Uninstall the app.

For everyone else…

Don’t publish your username on social media.

Don’t message with people you don’t know.

Don’t click on links sent by people you don’t know.

Clicking on links opens them in different apps, such as your default web browser.

A web browser is not your messaging app.

Encrypted messaging apps are not antivirus security tools.

Due to the sensitive nature of encryption services in an era of increased terror threat, companies like surespot will always be under attack by media and those working to thwart such threats. We should all remember that media is largely influenced and often entirely controlled by governments and special interest groups. It is in the interest of authorities to project the idea that surespot was hacked in order to discourage more people from using the app, because it is so secure.